webbrowser module + urls ending in .py = a security hole?

Bengt Richter bokr at oz.net
Mon Jan 30 19:25:10 EST 2006

On 30 Jan 2006 14:39:29 -0800, "Paul Boddie" <paul at boddie.org.uk> wrote:

>Peter Hansen wrote:
>> I'd agree.  I suspect this ought to be reported as a security flaw,
>> though it would be nice to know what the fix should be before doing so.
>>   Anyone know a more suitable approach on Windows than just passing
>> things off to startfile()?
>I wouldn't mind knowing if os.startfile is the best way to open
>resources on Windows, and whether there's a meaningful distinction
>between opening and editing resources that is exposed through an
>existing Python library. My interest is in making the desktop module a
>useful successor to webbrowser:
>Of course, since desktop.open leaves the exact meaning of "to open" to
>the user's desktop configuration, if that configuration then causes a
>Python program to be executed without some kind of confirmation,
>there's a fairly good argument for claiming that the configuration is
>broken - yes, it's the classic Microsoft convenience vs. security
>dilemma, circa 1998.
>For webbrowser, the opportunity to move blame to the user's environment
>is somewhat reduced, since the expectation of "browsing" a Python
>program would often be to show the text of that program. Given that
>webbrowser, in order to do its work, may rely on some environment
>mechanism that doesn't have the same view of "browsing" programs, there
>is a good argument for decoupling the module from those mechanisms
>entirely, although I can imagine that the resulting code would struggle
>even then to do the right thing.
I suppose a desktop config file with a sequence of regex patterns and associated defined actions
could dispatch urls to shell, browser, or custom app as desired, overriding
registry and/or browser settings by being first to decide. E.g., config might
have CSV-style command,params,... lines like

define,editor,C:\WINNT\system32\vimr.cmd "%1"
define,browser,D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"
define,savedialog,C:\util\savedialog.cmd "%1"

(I think this is more generally powerful than typical .INI file structure,
since you can define a very simple interpreter to do about anything with the
CSV data rows in order, including nesting things, if you make commands
that enter and exit nests. E.g.,

etc. etc)
Of course, you can jigger an INI file to contain any info you want also,
even using the windows {Get,Write}PrivateProfile{String,Int,Section,SectionNames}
API functions, which like many MS APIs IME of yore seem to work simply if you conform to
their usage preconceptions, but punish you with info discovery hell otherwise ;-)

Bengt Richter

More information about the Python-list mailing list